-
Notifications
You must be signed in to change notification settings - Fork 4.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
azurerm_cosmosdb_account
: support for CMK through managed_hsm_key_id
property
#26521
Conversation
0e151f9
to
6d71df2
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for this PR!
I've taken a look through and left some comments inline, but this is mostly looking good to me 👍
@wuxu92 Thank you and it now LGTM! |
return "" | ||
} | ||
|
||
func parseKeyvauleID(keyRaw string, requireVersion VersionType) (*parse.NestedItemId, error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we're going to need the Key Vault Environment here in the future, for when the Key Vault nested items take the environment, so we should probably thread that through now, since this'll be used in a bunch of places?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
reasonable, I pushed a commint to update it.
package customermanagedkeys | ||
|
||
import ( | ||
"fmt" | ||
"strings" | ||
|
||
"github.com/hashicorp/go-uuid" | ||
) | ||
|
||
// ManagedHSMKeyTempalte: Helper function to generate a template for HSM key acceptance tests | ||
// Ensure `azurerm_client_config.current` datasource is defined before using this template. | ||
// Verify there are no resource address conflicts in the caller of this template. | ||
func ManagedHSMKeyTempalte(randomInteger int, randomString string, purgeProtectionEnabled bool, principalRefs []string) string { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Lets not do this, we should not be sharing test configuration between services as sometimes different services require slightly different setups. Not to mention it moves the test config away from the tests
so could we please change this to maybe CosmosDBManagedHSMKeyTempalte
and include it in the cosmosdb service folder somewhere?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the review. I removed this file and moved the test configuration to the Cosmos DB account's test file.
tested with an exsiting hsm key:
--- PASS: TestAccCosmosDBAccount_ManagedHSMUri (952.33s)
PASS
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hey @wuxu92, I took another pass. Could you take a look?
Description: "The versionless encryption key url.", | ||
}, | ||
|
||
"managed_hsm_key_id": { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It looks like this is only specified in the schema. Can we revert this change and open another PR for this change if we're looking to add it to netapp account encryption?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
removed and rebased main branch to resolve the conflict.
|
||
// FlattenKeyVaultOrManagedHSMID uses `KeyVaultOrManagedHSMKey.SetState()` to save the state, which this function is designed not to do. | ||
func FlattenKeyVaultOrManagedHSMID(id string, keyVaultEnv, hsmEnv environments.Api) (*KeyVaultOrManagedHSMKey, error) { | ||
_ = keyVaultEnv |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does this need to be here? It doesn't look like keyVaultEnv is being used in this function at all
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I placed the keyvault environment here for future use, similar to the HSM environment. I removed it for now, but we can add it back when needed.
// ManagedHSMKeyTempalte: Helper function to generate a template for HSM key acceptance tests | ||
// Ensure `azurerm_client_config.current` datasource is defined before using this template. | ||
// Verify there are no resource address conflicts in the caller of this template. | ||
func ManagedHSMKeyTempalte(randomInteger int, randomString string, purgeProtectionEnabled bool, principalRefs []string) string { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I do like the idea of having a template for hsm as it's complicated to get going but I also saw in other resources that the setup for hsm was different.
Also, having a template used across services makes it possible that if the template changes for a certain resource, it could break the tests in other resources.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, I removed the file and moved the config content to the specific test case.
wantErr: false, | ||
}, | ||
{ | ||
name: "fail with no version provided", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't believe we should fail if the version isn't specified as some resources take versionless ids
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we also expand these tests to include versioned ids?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
added new test case for versionless key vault id.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM! Thanks for getting all those changes in @wuxu92
azurerm_cosmosdb_account
: support CMK from Managed HSM with managed_hsm_key_id
propertyazurerm_cosmosdb_account
: support for CMK through managed_hsm_key_id
property
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions. |
Community Note
Description
internal/customermanagedkeys/
to parse and flatten CMKs from KeyVault or MHSM, and to generate the necessary configuration for AccTest requiring a Managed HSM key.PR Checklist
For example: “
resource_name_here
- description of change e.g. adding propertynew_property_name_here
”Changes to existing Resource / Data Source
Testing
Change Log
Below please provide what should go into the changelog (if anything) conforming to the Changelog Format documented here.
azurerm_cosmosdb_account
- support CMK from Managed HSM [azurerm_cosmosdb_account - Support for Key Vault Keys from a Managed HSM #26357]This is a (please select all that apply):
Related Issue(s)
Fixes #26357
Note
If this PR changes meaningfully during the course of review please update the title and description as required.